Configuring the DT3 web server certificate and DDNS courtesy of a Synology NAS

I use the DT3 web server all the time and have had to work through a number of issues to get to where I’m at today. Along that path, I learned that I could configure it with a certificate for better security courtesy of a few users who helped me on my journey–hat tip in particular to @chrillek and @BLUEFROG for all their aid. After finally figuring it all out and getting it working properly, I thought I’d come back and provide a simple how-to for people in a similar situation.

First, you’re going to need a certificate. You can get one for free from Let’s Encrypt, and you can find some general instructions to use it with the macOS via Certbot. I was prepared to jump through their procedural hoops, which largely boil down to setting up a web server and using a tool to demonstrate you have control over it so they’ll issue you the cert for the domain you operate, when I learned I might have an even simpler way to snag a certificate.

To wit, if you own a Synology NAS, you can probably get it to do all the hard work for you–including setting you up with their Dynamic DNS (DDNS) service all for free. In my particular case, I already had a DDNS service configured and have used it for years to access machines on my home network when I’m away. But when I learned that my Synology NAS can shoulder both the DDNS and get me the certificate for free, it was too good to pass up. Here’s what I did:

  1. Logged into the admin web site for my NAS. Started the control panel, chose the “External Access” option from the “Connectivity” option on the left, and clicked the DDNS option at the top. I could then click the “Add” button to create my own Synology DDNS account which gave me my own subdomain to use. I used this support article to help me through it.
  2. The next step was to get the actual certificate files off the NAS, which turned out to be much easier than I’d hoped. I found this article which explains where they’re kept, and that allowed me to copy the files off my NAS. That gave me a number of files, and I had to fiddle around a bit to figure out which to use.
  3. The two files that you need are cert.pem and privkey.pem, and you’ll need them both because the DT3 server configuration section of the application preferences requires either that you’ve installed the certificate on your macOS or that you load it from a P12 file. The following command will let you use those two *.pem files to produce a new *.p12 file in the proper forrmat:

openssl pkcs12 -export -out myshinyDT3cert.p12 -in cert.pem -inkey privkey.pem

Don’t be alarmed that it asks you for a password; you’ll just need to make a note of that and use it in the next step. Speaking of which…

  1. Now you can click the button in the DT3 web server preferences to load a *.p12 file, point it at the new file you just produced (myshinyDT3cert.p12), and it should load it properly. You should then be able to choose your subdomain from the drop-down above it, which is all it takes.

The next time you start the DT3 web server, it should allow you HTTPS access on your server port, which is great.

1 Like

Excellent write up! Thanks for sharing this.

You’re welcome. It’s been quite a journey, and I always appreciate the arrows taken by pioneers ahead of me. I figure it’s my turn to provide a little armor!